Using https to secure the Web for journalism

From today, you have an alternative web address for visiting
the CPJ website. As well as our usual http://cpj.org/ address, you can visit our
site securely at https://cpj.org/.
We've turned on this feature to help protect our readers who are at risk of
surveillance and censorship, and as part of a wider advocacy mission to
encourage social networking and media sites to do the same.

Traditionally, websites have only served a few pages
securely. Your bank almost certainly uses a secure Web page to give your
account details; your favorite websites almost certainly will send you to a
secure page when they ask you to log in. You can tell when they do because the
address of the page starts with "https" rather than "http," and most browsers
will show a padlock icon when this happens.

But the vast majority of web pages use "http" and are sent
unencrypted and insecurely. Even websites like The New York Times and Washington
Post that do offer complete "https" versions of their sites often
do not publicize this secure alternative to their main address. Sites like Facebook
and Twitter have secure versions, too, but they have been prone to breakdowns.

What does this mean for at-risk journalists? Unsecured,
unencrypted Web pages can be monitored by anyone who can tap Internet traffic
as it passes over telecommunications infrastructure. The online journalists we
document at CPJ are targeted by organizations or individuals with either local
regulatory power, or criminal influence, to do exactly that. If these
journalists are communicating using social networking sites or commenting on
media stories via unencrypted sessions, they are vulnerable to surveillance and
exposure by the lax default security of the majority of websites.

Securely served websites have another advantage in the fight
against state censorship of the press. Currently, the biggest pressure on
governments who decide to block key websites from their populations is the
clumsiness of those blocks. Citizens may be unaware of journalist intimidation
and censorship in their own countries, but if a regime has to block all of
YouTube or Facebook or a local social site to prevent damaging news from
spreading, the wired part of their public quickly recognizes and frequently
rebels against such a blatant trampling of their free speech.

But as we've noted before, Internet censorship is
getting subtler. Without https, it's possible for regimes to target and block
individual Web addresses rather than whole sites. They can also block pages on
an ad hoc basis, filtering on the basis of the presence of certain phrases on
the page, such as the name of an opposition leader or a rebellious province.

Sending Web pages securely stops both of these techniques.
If you can't spy on Web traffic, you can't scan for keywords. And if you can't
see which Web page a person is visiting on a site, you can't selectively block.
If more sites used https, censorship would remain clumsy--and visible.
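
What an on-path observer can read in each case, as an added Python example that is not part of the original post. The request, the host news.example and the path are constructed, and the TLS ClientHello is generated locally with Python's ssl module, with no network access. Over https the request line and body travel only inside the encrypted session; the one readable field is the site name the client announces when it connects, which is why only whole-site blocks remain.

```python
import ssl

# Constructed sample: a comment posted over plain http.
SAMPLE_HTTP = (b"POST /blog/2011/story/comment HTTP/1.1\r\n"
               b"Host: news.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"text=opposition+leader")

def observe_http(raw: bytes) -> dict:
    """Everything in a plaintext request is readable: site, page and content."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return {"host": headers.get("Host"), "path": path, "body": body.decode("latin-1")}

def client_hello(hostname: str) -> bytes:
    """First bytes a TLS client sends, produced in memory (no connection made)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(incoming, outgoing,
                                                server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello written; the client now waits for the server
    return outgoing.read()

def observe_tls(hello: bytes) -> dict:
    """Walk the cleartext ClientHello to the server_name extension (type 0)."""
    pos = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    pos += 1 + hello[pos]                                  # session id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")   # cipher suites
    pos += 1 + hello[pos]                                  # compression methods
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    host = None
    while pos + 4 <= end:
        ext_type = int.from_bytes(hello[pos:pos + 2], "big")
        ext_len = int.from_bytes(hello[pos + 2:pos + 4], "big")
        if ext_type == 0:  # list length (2), name type (1), name length (2), name
            name_len = int.from_bytes(hello[pos + 7:pos + 9], "big")
            host = hello[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + ext_len
    # The page address and its content are sent later, encrypted.
    return {"host": host, "path": None, "body": None}

if __name__ == "__main__":
    print("http :", observe_http(SAMPLE_HTTP))
    print("https:", observe_tls(client_hello("news.example")))
```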

Historically, using https came with a cost: in computer
processing time, and in unavoidable delays encoding and decoding the data.
These days, those costs are far smaller, and the risks far
greater. Google, a company for which the smallest increases in processing
demands and transmission delays can cost millions, has begun to switch to
serving secure Web pages. After the attack on its servers by China, it turned
on secure Web pages by default for all of its
Gmail users. It now also offers an encrypted version of its search engine, at https://encrypted.google.com/.
Its engineers have proposed new techniques and standards that would make wider
use of https easier for other companies. And while journalists are on the front line
of surveillance and censorship, the amount of private or valuable content
revealed by everyone through unsecured Web traffic is growing.

Switching to https is not without its challenges (our Web
developer John Emerson led us through the process), but the rewards are worth
it. It's time for more companies to turn on https for all their traffic, and it's
time for technologists to make it easier for them to do so. Doing so will make
the Internet safer for at-risk journalists and a free press, but it'll also
make it more secure and private for us all.

San Francisco-based CPJ Internet Advocacy Coordinator Danny O’Brien has worked globally as a journalist and activist covering technology and digital rights. Follow him on Twitter @danny_at_cpj.